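rules:
- id: global-autoescape-off
  # Flags a Django TEMPLATES backend entry whose OPTIONS dict literally sets
  # 'autoescape': False. Only the literal False is matched (see the
  # metavariable-pattern below); a value supplied through a variable or another
  # setting is not detected, which is why confidence is LOW.
  message: >-
    Autoescape is globally disabled for this Django application. If you are
    rendering any web pages, this exposes your application to cross-site
    scripting (XSS) vulnerabilities. Remove 'autoescape: False' or set it
    to 'True'.
  metadata:
    cwe:
    - "CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')"
    owasp:
    - A07:2017 - Cross-Site Scripting (XSS)
    - A03:2021 - Injection
    references:
    - https://docs.djangoproject.com/en/3.1/ref/settings/#templates
    - https://docs.djangoproject.com/en/3.1/topics/templates/#django.template.backends.django.DjangoTemplates
    category: security
    technology:
    - django
    cwe2022-top25: true
    cwe2021-top25: true
    subcategory:
    - audit
    likelihood: LOW
    impact: MEDIUM
    confidence: LOW
  languages:
  - python
  severity: WARNING
  patterns:
  # Matches the dict-literal shape of a template backend configuration that
  # carries an 'autoescape' key inside OPTIONS; $FALSE captures the value.
  - pattern: |
      {..., 'BACKEND': ..., 'OPTIONS': {..., 'autoescape': $FALSE, ...}, ...}
  # Report only when the captured value is the literal False.
  - metavariable-pattern:
      metavariable: $FALSE
      pattern: |
        False
  # Narrow the finding (and the autofix below) to the value, not the whole dict.
  - focus-metavariable: $FALSE
  # Autofix replaces the focused $FALSE with True. The strip indicator keeps the
  # replacement text to exactly "True" with no trailing newline.
  fix: |-
    True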